Public Power Cyber Incident Response Playbook
Acknowledgment: This material is based upon work supported by the Department of Energy under Award Number(s)
DE-OE0000811.
Disclaimer: This report was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or
otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States
Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or any agency thereof.
The information in this Public Power Cyber Incident Response Playbook is provided strictly as reference material
only; it is not intended to be legal advice nor should it be considered as such.
Playbook Development
This Playbook was developed by Nexight Group with technical support from the American Public
Power Association and its members. We would like to acknowledge the following individuals who
provided their time, resources, and knowledge to the development of this Playbook:
Public Power Utilities
Bernie Acre, Bryan Texas Utilities
Cheryl Anderson, Florida Municipal Electric Association
Bill Berry, Owensboro Municipal Utilities
Randy Black, Norwich Public Utilities
David Boarman, Owensboro Municipal Utilities
Phil Clark, Grand River Dam Authority
Jim Compton, Burbank Water and Power
Josh Cox, City of Westerville
Adrian de la Cruz, Kerrville Public Utility Board
Maggie Deely, American Municipal Power, Inc.
Colin Hansen, Kansas Municipal Utilities
Jennifer Keesey, Northwest Public Power Association
Branndon Kelley, American Municipal Power, Inc.
Mike Klaus, Central Nebraska Public Power & Irrigation Dist.
Kurt Knettel, New Braunfels Utilities
Matt Knight, Owensboro Municipal Utilities
Melvyn Kwek, Guam Power Authority
Matt Lee, Platte River Power Authority
Ken Lewis, Salt River Power
Chris Lindell, Beatrice City Board of Public Works
Carter Manucy, Florida Municipal Power Agency
Robby McCutcheon, Kerrville Public Utility Board
Rob Morse, Platte River Power Authority
Michelle Nall, Glendale Water & Power
Erik Norland, Chelan Public Utility District
Steve Schmitz, Omaha Public Power District
Chad Schow, Franklin Public Utility District
Kenneth Simmons, Gainesville Regional Utilities
Scott Smith, Bryan Texas Utilities
Howard Wong, Glendale Water & Power
Association Staff
Jack Cashin, American Public Power Association
Chris Ching, American Public Power Association
Meena Dayak, American Public Power Association
Alex Hofmann, American Public Power Association
Nathan Mitchell, American Public Power Association
Sam Rozenberg, American Public Power Association
Giacomo Wray, American Public Power Association
Association Partners
Kaitlin Brennan, Edison Electric Institute
Jason Christopher, Axio Global
Chris Kelley, Beam Reach Consulting Group
Lindsay Kishter, Nexight Group
John Meckley, Edison Electric Institute
Aaron Miller, MS-ISAC
Mark Mraz, Beam Reach Consulting Group
Jason Pearlman, Nexight Group
Valecia Stocchetti, MS-ISAC
Paul Tiao, Hunton Andrews Kurth
The American Public Power Association is the voice of not-for-profit, community-owned utilities
that power 2,000 towns and cities nationwide. We represent public power before the federal
government to protect the interests of the more than 49 million people that public power utilities
serve, and the 93,000 people they employ. Our association advocates and advises on electricity
policy, technology, trends, training, and operations. Our members strengthen their communities
by providing superior service, engaging citizens, and instilling pride in community-owned power.
Table of Contents
1. Executive Summary .......... 4
2. Getting Started: Building a Cyber Incident Response Plan and Procedures .......... 6
3. Engaging Help: Activating the Response Team and Engaging Industry and Government Resources .......... 16
4. Digging Deeper: Technical Response Procedures for Detection, Containment, Eradication, and Recovery .......... 25
5. Strategic Communication Procedures .......... 33
6. Cyber Incident Response Legal Procedures .......... 40
7. Sample Cyber Incident Scenarios .......... 43
Appendix A: Incident Response Plan Outline .......... 48
Appendix B: Incident Handling Form Templates .......... 51
Appendix C: DOE Electric Emergency Incident Disturbance Report (OE-417) .......... 56
Appendix D: Sample Cyber Mutual Assistance NDA .......... 61
Appendix E: Resources and References .......... 65
1 EXECUTIVE SUMMARY

Overview of Playbook Guidance

The Playbook provides step-by-step guidance for small to mid-sized public power utilities to help them prepare a cyber incident response plan, prioritize their actions and engage the right people during cyber incident response, and coordinate messaging. The playbook serves three key purposes:

1. Provides guidance to help a utility develop its cyber incident response plan and outline the processes and procedures for detecting, investigating, eradicating, and recovering from a cyber incident.

2. Maps out the industry and government partners that public power utilities can engage during a significant cyber incident to share information, get support for incident analysis and mitigation, and coordinate messaging for incidents that require communication with customers and the public.

3. Outlines the process for requesting cyber mutual aid from utilities across the energy industry for a cyber event that significantly disrupts utility business or operational energy delivery systems and overwhelms in-house cyber resources and expertise.

The Playbook includes an outline for a cyber incident response plan, a process for response planning, and offers high-level procedures and templates that a utility can use to develop its own response plan.

How to Use the Playbook

This Playbook provides utilities with practical guidance and critical considerations in preparing for a cyber incident and developing a response plan that enables staff to take swift, effective action. Cybersecurity managers can use the playbook as a step-by-step guide to prepare for an incident.

Identify your cyber incident response team.
Clarify who the key players are, outline roles and responsibilities, and clearly identify which individuals have the authority to take critical response actions. Document how to contact team members 24/7, designate an alternate for key roles, and outline a battle rhythm for how and when the team will convene and deliver updates.

Identify contacts and response service contracts for cybersecurity service providers and equipment vendors.
Keep an updated list of vendor contacts and the support they can provide if a vulnerability is identified in vendor equipment. Identify a contact person for the Internet Service Provider (ISP). If the utility has contracted with third-party service providers for incident investigation, forensic analysis, or other forms of incident response support, identify the contact person, determine the process for engaging their support, and identify the person on the Cyber Incident Response Team (CIRT) who is authorized to engage their services. Determine the expected response timelines for each partner.

Understand the system and environment.
Document where system maps, logs, and inventories are kept and maintained, along with the person who has the credentials to access them. Document access credentials and procedures for removing access or providing temporary access to incident responders.

Outline your incident reporting requirements and timelines.
Depending on the type or severity of a cyber incident, utilities may be required to report the incident to regulatory agencies and local/state/federal officials, often within the first 24 hours of an incident, and sometimes in as little as 6 hours. Determine your legal and contractual obligations to report incidents to federal/state/local officials, insurance providers, and other third parties.

Identify the response procedures the CIRT will take to investigate, contain, eradicate, and recover from a variety of different incidents.
Document procedures for investigation and documentation, incident containment actions for various types of attacks, and procedures for cleaning and restoring systems. Identify and pre-position the resources needed to preserve evidence, make digital images of affected systems, and conduct a forensic analysis, either internally or with the assistance of a third-party expert.

Identify the external response organizations (including law enforcement, information sharing organizations, and cyber mutual assistance groups) the utility might engage during cyber incident response, particularly for severe incidents that outpace utility resources and expertise.
Identify key contacts within external response organizations and build personal relationships in advance of an incident. Determine how much information to share and when. Document who has the authority to engage these organizations and at what point they should be notified.

Develop strategic communication procedures for cyber incidents.
Identify the key internal and external communications stakeholders, what information to communicate and when, and what type of cyber incidents warrant internal communication with employees and public communication with customers and the media. Develop key messages and notification templates in advance.

Define response procedures and responsibilities of the utility's legal team during cyber incident investigation and response.
Cyber incident response should be planned, coordinated, and executed under the guidance of the legal team.